Arcade raises $60M to be the secure action layer for AI agents

Arcade.dev raised a $60 million Series A on June 22, 2026 to build what it calls the secure action layer for production AI agents, the first sizable round aimed squarely at the gap between an MCP gateway and a working enterprise agent deployment. The round was led by SYN Ventures, with strategic investment from Morgan Stanley and Wipro, and brings total funding to $72 million.

What Arcade is actually selling

Arcade's product sits in a specific spot in the agent stack that the broader market has not yet decided how to name. It is not a model router, not an MCP gateway, and not an agent framework. It is an authorization and execution plane that an agent calls into to take a real action on a real system, with the same identity and policy context the user behind the agent would have had. The product has three layers, and the announcement describes each one in language that maps directly to the failure modes enterprise teams keep running into.

The first layer is authorization. Agents get the access the user has, only for the action they are taking. The framing is critical. It is not "the agent gets root" or "the agent gets a service account." The agent gets the user's permissions, scoped to the single action it is performing, and Arcade handles the consent flow that goes with that. No standing permissions, no overprivileged service accounts, no leaked PII or data loss, no blast radius when an agent hallucinates. The team is taking the same model that worked for human SaaS users and reapplying it to non-human identities, which is the only sane read of the new security reality.

The second layer is reliability. Arcade ships more than 8,000 MCP tools that are purpose-built for the way agents actually use them, not API wrappers. The distinction matters. Most "agent tools" in 2026 are thin shims over REST endpoints that were designed for human CRUD users. Agents call them in loops, with retries, and with non-standard parameter combinations. Wrappers break at the seams. Tools written for agent semantics survive that loop. The number, 8,000, is a meaningful signal because it shows the company has been building this catalog for long enough that the long tail is covered.

The third layer is governance. Every action Arcade takes produces a complete audit trail: which agent, on behalf of which user, against which resource, with which scope, at which time. This is the log line every security team will ask for the first time a regulator shows up, and it is the log line almost no agent stack in 2026 produces by default. "Governance is not a feature you bolt on at the end," Jay Leek, Arcade board director and managing partner at SYN Ventures, said in the announcement. "It's the foundation. If you can't answer who did what, you don't have a production system, you have a science project."

Why the round matters now

A $60M Series A into an agent authorization company would have looked premature in 2024. In June 2026, it looks late. The reason is the gap between what enterprises are buying and what the agent stack can deliver. Most agent platforms in production today can route a request, choose a tool, and call an LLM. The ones that can answer the question "is this agent allowed to do this thing, for this user, against this system, with this scope" are the exception, and most of them reach for an out-of-band identity provider, an OAuth layer, and a custom audit pipeline, all of which the agent developer is expected to wire together by hand.

Arcade's bet is that the demand for a real authorization plane is not the marginal feature that gets bolted on. It is the central primitive that every production agent stack will need the same way every web application needs an auth provider. The investor list reflects that framing. SYN Ventures is a security-focused firm. Morgan Stanley's strategic investment is the read-the-room signal that the financial industry, which is the most cautious segment in enterprise tech, sees this as a primitive they will need. Wipro's presence is the systems integrator signal that the consulting layer is also buying in.

The MCP authorization specification is the second lever. Arcade authored the spec, Anthropic adopted it, and the company is the only one running it in production at the scale the announcement claims. Spec authorship plus reference implementation is the playbook that won Okta its position in the early 2010s SAML stack and that won Mongo and Redis their positions in the cloud data layer. The pattern is consistent: a vendor writes the spec, ships the reference implementation, and waits for the rest of the ecosystem to catch up. If the MCP authorization spec follows the same arc, the rest of the agent stack will spend the next 12 to 24 months either implementing it natively or shimming Arcade in front of their existing auth layers.

The third lever is the talent. The founding team is drawn from the identity, data, and integration layers at Okta, Redis, MongoDB, Snowflake, and Airbyte. That is a specific profile, and it is the profile that gets hired to build the kind of infrastructure that ends up looking obvious in retrospect. The same people built the kind of plumbing that Fortune 500 enterprises now treat as table stakes. The company is hiring aggressively to scale the playbook into agents.

The three open questions

A $60M Series A does not answer every question an enterprise buyer will ask. The first is lock-in. Arcade is the reference implementation for a spec it wrote, which is convenient for Arcade and uncomfortable for anyone who wants to swap it out. Anthropic's adoption of the spec helps, but the spec text, the reference implementation, and the hosted service are all from the same vendor today. Enterprise buyers who have been burned by single-vendor identity stacks will want a clearer answer on who owns the spec evolution and what the migration path looks like.

The second is the catalog. 8,000 MCP tools sounds large until an enterprise buyer compares it to the 50,000-plus SaaS APIs a typical Fortune 500 actually runs. Arcade is betting that the long tail of agent actions will consolidate around a smaller, agent-native set of tools, which is plausible but not certain. If the long tail fragments, the catalog becomes a moat. If it consolidates, the catalog becomes a commoditizable surface that any agent framework can ship.

The third is competitive response. Cloudflare, Stripe, Workday, Salesforce, and Microsoft are all shipping agent identity and authorization products in 2026. The hyperscalers in particular have the identity primitives to make this look like a feature they can ship in a quarter. The reason a $60M round into a startup here still makes sense is that the hyperscalers keep treating agent authorization as a feature, not a platform, and the platform layer is what production agent deployments need. If the hyperscalers reframe their agent identity products as platforms in the next 12 months, the calculus changes. The fact that SYN Ventures, Morgan Stanley, and Wipro are all in the round is the bet that they will not.

For organizations adopting AI agents, the practical takeaway is that authorization and governance are now a permanent part of the agent stack, not a roadmap item. The Enterprise AI Governance Checklist for 2026 covers the wider governance framing for teams rolling out production agent workflows, and the round at Arcade is the first major funding event to put a real number on how serious the buyer demand is.